The access JWT lives only 10 minutes, so the SPA constantly refreshes it via the single-use, rotation-on-use refresh cookie. The only concurrency guard was the Web Locks API, which exists exclusively in secure contexts. On insecure HTTP deployments there is no coordination, so triggers that fire close together (initial load, proactive timer, focus handler, 401 interceptor) each POST with the SAME cookie before the rotated Set-Cookie lands. One rotates successfully, the other matches 0 rows and gets a 401, and the loser bounces the user to /login even though the rotation actually succeeded. A: add a module-level in-flight promise in refreshToken() so concurrent calls in the same tab share one underlying refresh, in every context (HTTP included), independent of navigator.locks. The existing Web Locks usage stays as the secondary cross-tab layer for secure contexts. D: retry the refresh exactly once before treating a failure as a real logout. After a lost race the browser cookie is already the rotated valid one, so a fresh second attempt succeeds; only if both fail do we log out. Implemented DRY via refreshTokenWithRetry() used by renewToken() and the expired-JWT path in checkAuth(). The happy path (single tab, secure context, no race) is unchanged. Fixes #2863 |
||
|---|---|---|
| .. | ||
| docs | ||
| originalMedia | ||
| public | ||
| scripts | ||
| src | ||
| tests | ||
| .editorconfig | ||
| .env.local.example | ||
| .gitignore | ||
| .npmrc | ||
| .nvmrc | ||
| .stylelintrc.json | ||
| CHANGELOG.md | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| embed.go | ||
| env.config.d.ts | ||
| env.d.ts | ||
| eslint.config.js | ||
| histoire.config.ts | ||
| index.html | ||
| netlify.toml | ||
| package.json | ||
| playwright.config.ts | ||
| pnpm-lock.yaml | ||
| tsconfig.app.json | ||
| tsconfig.config.json | ||
| tsconfig.json | ||
| tsconfig.vitest.json | ||
| vite.config.ts | ||
README.md
Web frontend for Vikunja
The todo app to organize your life.
This is the web frontend for Vikunja, written in Vue.js.
Take a look at our roadmap (hosted on Vikunja!) for a list of things we're currently working on!
For general information about the project, refer to the top-level readme of this repo.
Project setup
pnpm install
Development
Define backend server
You can develop the web front end against any accessible backend, including the demo at https://try.vikunja.io
In order to do so, you need to set the DEV_PROXY env variable. The recommended way to do so is to:
- Copy
.env.local.exampleas.env.local - Uncomment the
DEV_PROXYline - Set the backend url you want to use
In the end, it should look like DEV_PROXY=https://try.vikunja.io if you work against the online demo backend.
Start dev server (compiles and hot-reloads)
pnpm run dev
Compiles and minifies for production
pnpm run build
Lints and fixes files
pnpm run lint
License
This project is licensed under the AGPL-3.0-or-later license. See the LICENSE file for details.